CULU: a ClickUp lookup browser extension
Why I finally wrote this down
I spent too many minutes doing tab archaeology. A ticket ID or task name appears in email, Slack, or a pull request. Opening ClickUp, finding the right space, and searching again breaks flow. I wanted select, search, open, from any page, without pasting the workspace token into a content script that every site can see.
CULU was the smallest tool that fixed that habit. It also forced me to learn Manifest V3 service workers and Chrome Web Store review expectations before I shipped larger ClickUp automation nodes.
What it does
Context menu action on selected text.
Queries the ClickUp search API with the workspace token from extension storage.
Opens the matching task or list URL in a focused tab.
Shows clear failure states when the token is missing, the search returns zero hits, or the API rate-limits.
Extension architecture
Manifest V3 moves privileged work into a background service worker. That is the right place for API calls.
Background worker: owns the ClickUp request and token read. Content scripts never see the secret.
Options page: token and workspace defaults in
chrome.storage.sync.Minimal permissions:
contextMenus,storage, and host access scoped to ClickUp API origins.
Keeping the token off content scripts is non-negotiable. Any page you browse can probe a content script. The background worker is the trust boundary.
UX details that mattered
Icon color hints for "token missing" versus "zero hits" saved support back-and-forth. Rate-limit toasts matter when you hammer search from automation-adjacent habits. Silent failures train people to distrust the tool.
Side-project lesson
Polish is not optional for store-distributed tools. Document what you store, why you need each permission, and how to revoke the token. The same discipline later helped when packaging ClickUp-related n8n community nodes: credentials belong in a credential store, never in exported workflow JSON.
Failure modes I keep debugging
Token in a content script "just for MVP": leaks on every page load.
Over-broad host permissions: store review friction and user distrust.
Zero-result with no UI change: people assume the extension is broken.
README that describes a different package: install confusion across sibling ClickUp tools.
Quick review before store submit
Does any content script touch the API token?
Are permissions minimal and explained in the privacy blurb?
Do missing-token and zero-hit states look different?
Can a user revoke access without reinstalling the browser profile?